Abstract: Handover authentication protocols are a promising access control technology in the fields of WLANs and mobile wireless sensor networks. In this paper, we first review an efficient handover authentication protocol, named PairHand, together with the attacks on it and the improvements proposed so far. Then, we present an improved key recovery attack based on linearly combining captured signatures and reanalyze its feasibility against the improved PairHand protocol. Finally, we present a new handover authentication protocol, which not only achieves the same desirable efficiency features as PairHand, but also enjoys provable security in the random oracle model.
1. Introduction

In today's world, wireless communication networks are ubiquitous, and mobile handheld devices, such as PDAs, smart phones and laptop PCs, influence many aspects of people's lives. To overcome the restriction of geographical coverage, seamless access services are highly desirable for WLANs and mobile wireless sensor networks (WSNs), but ensuring both the security and the efficiency of this process is still challenging. Recently, as a promising seamless access control technology, handover authentication protocols have received much attention [1-12]. A handover authentication scenario is always assumed to involve three kinds of parties: mobile nodes (MNs), access points (APs) and the authentication server (AS). An MN is a user registered at the AS, who accesses its subscribed services by connecting to any AP. An AP acts as a guarantor vouching for an MN as a legitimate subscriber. When an MN leaves the service area of the current AP (e.g., AP1) and tries to connect to a new AP (e.g., AP2), the new AP starts its handover authentication process to identify the MN. If the authentication succeeds, a session key is established between the MN and AP2 to protect the MN's subsequent access. Otherwise, the access request is rejected by AP2. A promising application of this kind of protocol appears in three-tiered mobile WSNs [13], which consist of a base station, access points, mobile agents and sensor nodes. In the highest layer, the base station works as the AS to deploy access points and to register mobile agents by granting them the corresponding authentication keys. The access points are the APs, with the task of receiving and verifying the messages from the medium layer. The medium layer is composed of the mobile agents, which can be mobile phones, vehicles, people and even animals, acting as the MNs and responsible for gathering data from the sensor nodes in the lowest layer and then forwarding it to the upper layer.

Recently, He et al. [14] introduced an interesting handover authentication protocol, named PairHand. To improve communication efficiency and reduce the burden on the AS, PairHand requires only two handshakes between MN and AP for mutual authentication and key establishment, instead of relying on the participation of the AS. Furthermore, considering the high cost and the inconvenience of revoking users when a group signature is used in the authentication process, PairHand builds its construction directly on pairing-based cryptography and uses a pool of shorter-lived pseudonyms to protect users' privacy. Unfortunately, shortly after, He et al. [15] found a serious design weakness in the PairHand protocol that enables an adversary to easily obtain the private key from the message transmitted in the first round of the protocol, and presented an improvement based on a composite-order bilinear group, claiming that the improved version fixes the security problem without losing any of the desirable features of PairHand. However, Yeo et al. [16] showed that if an attacker obtains multiple authentication messages generated with the same pseudo-ID, it is likely to recover the private key of the mobile node. Furthermore, Yeo et al. [16] and Tsai et al. [17] pointed out another dilemma of the improved version: a 160-bit composite order is insecure, but using a 1,024-bit composite-order group leads to a great drop in efficiency. At the same time, Tsai et al. [17] presented a provably secure handover authentication protocol, which solves the above security problem but increases the size of the public key.

In this paper, we provide a linear combination method that reduces the number of captured signatures under the same pseudo-ID required by the key recovery attack on the improved PairHand [15]. By repeatedly combining two captured signatures from the same pseudo-ID with random coefficients, the attacker can compute the private key of the MN with very high probability. To improve the security without losing the desirable features, we present a new handover authentication protocol that overcomes the security weakness of the original PairHand and achieves the same high level of efficiency. Finally, in the random oracle model, we prove that this protocol enjoys both semantic security and authentication security.
2. The Bilinear Maps and Complexity Assumptions

In this section, we briefly recall bilinear maps and the hard problems that will be used in what follows.

Let $G$ be a cyclic additive group of composite order $q$ and $G_T$ be a cyclic multiplicative group of the same order. Let $e: G \times G \to G_T$ be a bilinear map that satisfies the following properties.

• Bilinearity: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G$ and all $a, b \in \mathbb{Z}_q^*$.

• Non-degeneracy: $e(P, P) \neq 1$ for $P \neq 0$.

• Computability: there exists an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G$.

Computational Diffie-Hellman (CDH) assumption: Given $P$, $aP$ and $bP$ for some $a, b \in \mathbb{Z}_q^*$, it is computationally intractable to compute the value $abP$.

Bilinear Diffie-Hellman (BDH) assumption: Given $P$, $aP$, $bP$ and $cP$ for some $a, b, c \in \mathbb{Z}_q^*$, it is computationally intractable to compute the value $e(P, P)^{abc}$.

3. Security Model 

Generally, there are two kinds of handovers: hard handover and soft handover. The difference between them is that in a hard handover the connection with AP1 is broken before the new connection between MN and AP2 is established, while in a soft handover the MN can retain the connection with AP1 after building the new connection with AP2. For simplicity, it is assumed that there is no communication among APs and that handover authentication protocols run in the hard handover model. In the following, we present the formal security model for handover authentication protocols, which follows the approach initiated by Bellare and Rogaway [18,19] and modified by Bresson et al. [20].

3.1. Communication Model 

Protocol participants: In the model, there are two kinds of participants: the mobile node MN and the access point AP, which have unique identities $ID_{MN}$ and $ID_{AP}$, respectively. Each instance of a participant ($U$ or $V$) is modelled as an oracle, denoted by $\Pi^n_{MN}$ ($\Pi^n_{AP}$, respectively), meaning the $n$-th running instance of the participant MN (AP, respectively).

Protocol execution: In the model, it is assumed that an adversary $\mathcal{A}$ has full control over the communication channels and can create several concurrent instances of the protocol. The public parameters params and the identity information are known to all participants, including the adversary. During the execution of the protocol, the interaction between the adversary and the protocol participants occurs only via oracle queries, which model the adversary's capabilities in a real attack. At any time, the adversary may make the following queries:

(1) $\mathrm{Execute}(\Pi^n_U, \Pi^m_V)$: This query models passive attacks, where the attacker gets access to honest executions between the instances $\Pi^n_U$ and $\Pi^m_V$ by eavesdropping. The output of this query is the complete transcript transmitted during the honest execution of the protocol.

(2) $\mathrm{Send}(\Pi^n_U, M)$: This query models an active attack against an MN or AP, in which the adversary sends a message to the instance $\Pi^n_U$. The output of this query is the message that the instance $\Pi^n_U$ generates upon receipt of the message $M$.

(3) $\mathrm{Reveal}(\Pi^n_U)$: This query models the misuse of session keys. It is available only if the session key of the instance $\Pi^n_U$ is defined, and then returns that session key to the adversary.

(4) $\mathrm{Test}(\Pi^n_U)$: This query measures the semantic security of the session key of the instance $\Pi^n_U$. If the session key is not defined, it returns $\bot$. Otherwise, it returns either the session key held by the instance if $b = 0$ or a random number of the same size if $b = 1$, where $b$ is the hidden bit selected at random before the protocol runs.

(5) $\mathrm{Corrupt}(ID_U)$: This query models the exposure of the long-term secret key. When the adversary makes this query, the oracle returns the private key corresponding to $ID_U$.

3.2. Security Definitions 

Notation: An instance $\Pi^n_U$ is said to be opened if the query $\mathrm{Reveal}(\Pi^n_U)$ has been made by the adversary. We say an instance $\Pi^n_U$ is unopened if it is not opened. An instance $\Pi^n_U$ is said to be accepted if it goes into an accept state after receiving the last expected protocol message.

Partnering: We say two instances $\Pi^n_U$ and $\Pi^m_V$ are partners if the following conditions are met: (1) they are an MN and an AP, respectively; (2) both $\Pi^n_U$ and $\Pi^m_V$ are accepted; (3) both $\Pi^n_U$ and $\Pi^m_V$ share the same session ID $sid$; (4) the partner identification for $\Pi^n_U$ is $\Pi^m_V$ and vice versa; and (5) no instance other than $\Pi^n_U$ and $\Pi^m_V$ accepts with a partner identification equal to $\Pi^n_U$ or $\Pi^m_V$.

Freshness: If an instance $\Pi^n_U$ has been accepted, both the instance and its partner are unopened and both are instances of honest participants, we say the instance $\Pi^n_U$ is fresh.

Semantic security: The security notion is defined in the context of executing an ID-based handover authentication protocol $P$ in the presence of an adversary $\mathcal{A}$. During the protocol execution, $\mathcal{A}$ is allowed to make multiple Execute, Send and Reveal queries, but at most one Test query, to a fresh instance of an honest participant. Finally, $\mathcal{A}$ outputs a guess $b'$ for the bit $b$ hidden in the Test oracle. The adversary $\mathcal{A}$ is said to be successful if $b' = b$. We denote this event by Succ and define the advantage of $\mathcal{A}$ in violating the semantic security of the protocol $P$ as follows:

$$\mathrm{Adv}_{\mathcal{A},P}(k, t) = 2 \cdot \Pr[\mathrm{Succ}] - 1,$$

where $k$ is the security parameter and $t$ is the time parameter.

We say a handover authentication protocol $P$ is semantically secure if the advantage $\mathrm{Adv}_{\mathcal{A},P}(k, t)$ is negligible.

Authentication security: To measure the resistance of a handover authentication protocol to impersonation attacks, we consider the mutual authentication between MN and AP. We denote by $\mathrm{Auth}^{MN \to AP}_{\mathcal{A},P}(k, t)$ (or $\mathrm{Auth}^{AP \to MN}_{\mathcal{A},P}(k, t)$, respectively) the probability that an adversary successfully impersonates an MN instance (or an AP instance, respectively) during the execution of the protocol $P$ while the target AP (or MN, respectively) does not detect it, where $k$ is the security parameter and $t$ is the time parameter. We say a handover authentication protocol $P$ is mutual-authentication secure if both $\mathrm{Auth}^{MN \to AP}_{\mathcal{A},P}(k, t)$ and $\mathrm{Auth}^{AP \to MN}_{\mathcal{A},P}(k, t)$ are negligible in the security parameter.
4. Review of the Protocol

In this section, we review He et al.'s improved protocol [15], which is very similar to the original PairHand and consists of four phases: system initialization, handover authentication, batch authentication and denial-of-service (DoS) attack resistance. The only differences between the two versions are the selection of the group order in the system initialization phase and the computation of the hash value of the authentication message in the handover authentication phase, and our attack targets exactly these two phases. Below, we review only the first two phases of the improved PairHand protocol. For more details, please refer to [14].

4.1. System Initialization 

The AS randomly chooses a value $s \in \mathbb{Z}_q^*$ as the master key and a generator $P$ of $G$, computes the corresponding public key $P_{pub} = sP$ and selects two cryptographic hash functions $H_1$ and $H_2$, where $H_1: \{0,1\}^* \to G$ and $H_2: \{0,1\}^* \to \mathbb{Z}_q^*$. The resulting public system parameters, params, are $\{G, G_T, q, P, P_{pub}, H_1, H_2\}$, and the private secret of the AS is $s$. For each AP, the AS computes $H_1(ID_{AP})$ and $sH_1(ID_{AP})$ as the public and private keys of that AP, respectively, and delivers them to the AP via a secure channel, where $ID_{AP}$ is the identity of the AP.

For the registration of a qualified MN $i$ with real identity $ID_i$, the AS generates a family of unlinkable pseudo-IDs $PID = \{pid_1, pid_2, \dots\}$, computes the public key $H_1(pid_j)$ and the corresponding private key $s \cdot H_1(pid_j)$ for each pseudo-ID $pid_j \in PID$ and, finally, securely sends all tuples $(pid_j, sH_1(pid_j))$ to MN $i$. The use of shorter-lived pseudonyms protects each MN's privacy, preventing it from being traced.

4.2. Handover Authentication 

When an MN, say $i$, moves into the communication range of a new AP (AP2), a handover authentication process, shown in Figure 1, is performed between MN $i$ and AP2 in the following steps.

(1) MN $i$ first picks an unused pseudo-ID $pid_i$ from its pseudo-ID family and the corresponding private key $sH_1(pid_i)$. Then, MN $i$ generates an authentication message $M_i = pid_i \| ID_{AP2} \| ts$, where $ts$ is a timestamp used to resist replay attacks and "$\|$" denotes concatenation, and checks whether $H_2(M_i)$ and $q$ are co-prime. If they are not co-prime, it does nothing further; otherwise, it keeps appending redundant bits $rb$ to $M_i$ until $H_2(M_i)$ and $q$ are not co-prime. After that, MN $i$ computes the signature $\sigma_i = H_2(M_i) \cdot sH_1(pid_i)$ and unicasts the access request message $\{M_i, \sigma_i\}$ to AP2. Finally, MN $i$ computes the session key with AP2 as $K_{1\text{-}2} = e(sH_1(pid_i), H_1(ID_{AP2}))$.

(2) Upon receiving the request message $\{M_i, \sigma_i\}$, AP2 first checks whether the timestamp $ts$ is valid. If invalid, the request is rejected. Otherwise, AP2 verifies whether $e(\sigma_i, P) = e(H_2(M_i) \cdot H_1(pid_i), P_{pub})$. If so, AP2 computes the session key $K_{2\text{-}1} = e(H_1(pid_i), sH_1(ID_{AP2}))$ and the authentication code $Aut = H_2(K_{2\text{-}1} \| pid_i \| ID_{AP2})$ and then sends the tuple $\{pid_i, ID_{AP2}, Aut\}$ to MN $i$.

(3) Upon receipt of the message $\{pid_i, ID_{AP2}, Aut\}$, MN $i$ computes the verification code $Ver = H_2(K_{1\text{-}2} \| pid_i \| ID_{AP2})$ and compares it with $Aut$. If they are equal, MN $i$ confirms that AP2 is legitimate and that the generated session key is valid. Otherwise, MN $i$ cancels the connection.

(4) At last, AP2 securely transports $\{M_i, \sigma_i\}$ to the AS. From this message, the AS can identify the real identity of MN $i$ according to the pseudo-ID in $M_i$.

After successfully executing the handover protocol, MN $i$ and AP2 share a session key, since

$$K_{1\text{-}2} = e(sH_1(pid_i), H_1(ID_{AP2})) = e(H_1(pid_i), H_1(ID_{AP2}))^s = e(H_1(pid_i), sH_1(ID_{AP2})) = K_{2\text{-}1}.$$

Furthermore, the use of a pseudo-ID enables unilateral anonymous authentication for MN $i$, and each session is uniquely identified by $(pid_i, ID_{AP2})$.



Figure 1. The handover authentication phase in He et al.'s improved PairHand protocol.
5. Attack on the Protocol

For the original PairHand protocol, what enables an attacker to recover the private key $sH_1(pid_i)$ is that, when $H_2(M_i)$ and $q$ are co-prime, he can use the inverse $u$ of $H_2(M_i)$ modulo $q$ to get $u \cdot \sigma_i = u \cdot H_2(M_i) \cdot sH_1(pid_i) = sH_1(pid_i)$, since $u \cdot H_2(M_i) = 1 \pmod q$. The countermeasures of He et al. [15] are to restrict the group order $q$ to be composite and to append redundant bits to the request message $M_i$ to ensure that the resulting $H_2(M_i)$ and $q$ are not co-prime. By doing this, it seems that the private key $sH_1(pid_i)$ will not be exposed by the signature $\sigma_i$, since there is no modular inverse of $H_2(M_i)$.

However, the following attack shows that He et al.'s improved protocol [15] does not eradicate the design weakness. Our attack is based on the assumption [6] that the adversary has total control over all communication channels between AP2 and MN $i$. This means that the adversary may intercept, delete or modify any message in the channels. Suppose that MN $i$ requests the service of a new access point AP2 by sending the message $\{M_i, \sigma_i\}$ (where $M_i = pid_i \| ID_{AP2} \| ts \| rb$ and $\sigma_i = H_2(M_i) \cdot sH_1(pid_i)$) over a wireless channel dominated by the adversary. The adversary intercepts the request message, so that MN $i$ will

not receive the response from AP2. After a certain delay, MN $i$ will regenerate a new request message $\{M_i', \sigma_i'\}$ and send it to AP2, where $M_i' = pid_i \| ID_{AP2} \| ts' \| rb'$, $\sigma_i' = H_2(M_i') \cdot sH_1(pid_i)$, $ts'$ denotes a new timestamp and $rb'$ is a new redundant bit string. Since $\mathcal{A}$ controls the whole network communication, it can easily capture the new message. Once the adversary $\mathcal{A}$ owns two authentication messages $(M_i, \sigma_i)$ and $(M_i', \sigma_i')$ corresponding to the same pseudo-ID $pid_i$, it randomly selects two values $x_1, x_2 \in \mathbb{Z}_q$ and computes:

$$\alpha = x_1 \cdot \sigma_i + x_2 \cdot \sigma_i' = x_1 \cdot H_2(M_i)\, sH_1(pid_i) + x_2 \cdot H_2(M_i')\, sH_1(pid_i) = \big(x_1 \cdot H_2(M_i) + x_2 \cdot H_2(M_i')\big)\, sH_1(pid_i).$$

Then, $\mathcal{A}$ directly computes $\beta = (x_1 \cdot H_2(M_i) + x_2 \cdot H_2(M_i')) \bmod q$ from $M_i$ and $M_i'$ and checks whether $\beta$ and $q$ are co-prime. If yes, it computes $\gamma = (x_1 \cdot H_2(M_i) + x_2 \cdot H_2(M_i'))^{-1} \bmod q$ and recovers the private key $sH_1(pid_i) = \gamma \cdot \alpha$. Otherwise, it reselects random values $x_1, x_2$ and computes $\alpha$ and $\beta$ again, until $\beta$ and $q$ are co-prime. (Should $H_2(M_i)$ and $H_2(M_i')$ share a common prime factor with $q$, every such $\beta$ inherits that factor; the adversary then simply captures a further retransmission, since the combination only needs the captured hash values to have no common factor with $q$.)

As $q$ is a randomly generated system parameter, $M_i$ and $M_i'$ are random messages and $x_1$ and $x_2$ are randomly chosen from $\mathbb{Z}_q$, we can approximately view $q$ and $\beta = (x_1 \cdot H_2(M_i) + x_2 \cdot H_2(M_i')) \bmod q$ as two independent random numbers. Let $\{p_1, p_2, p_3, \dots\}$ denote the ascending sequence of all prime numbers, and let $p_k$ be the largest prime number less than $q$. The probability that $\beta$ is divisible by a prime $p_i$ is $1/p_i$, where $i \le k$, and the same holds for $q$. Therefore, the probability that $\beta$ and $q$ are both divisible by this prime is $1/p_i^2$, whilst the probability that at least one of them is not is $1 - 1/p_i^2$. Thus, the probability of success of a single attempt of our attack, $P_{success}$, which equals the probability that $\beta$ and $q$ are co-prime, is:

$$P_{success} = \prod_{i=1}^{k} \Big(1 - \frac{1}{p_i^2}\Big),$$

which approaches $6/\pi^2 \approx 0.61$ as $k$ grows, so fewer than two attempts are needed on average.
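The following Python program is an added worked example, not code from the paper: it replays the attack of this section against a toy instance of the improved PairHand. The group $G$ is replaced by the additive group $\mathbb{Z}_q$ (so $P = 1$ and scalar multiplication is multiplication mod $q$), $q = 101 \cdot 103$ and $H_2$ is SHA-256 reduced mod $q$; all of these are assumptions chosen so that the example runs instantly, and no pairing is needed because the attack uses only scalar arithmetic. The attack routine generalizes the two-signature combination of the text to any number of captured signatures, which also covers the case where two captured $H_2$ values share the same prime factor of $q$ and a further capture is required. The program also checks that the single-message inverse attack on the original PairHand is blocked by the redundancy countermeasure, and compares the empirical per-attempt success rate with $\varphi(q)/q$, the exact rate for one fixed $q$ (the product over all primes above is the average over a random $q$).

```python
import hashlib
import math
import random
from functools import reduce

# Constructed toy parameters (not the paper's).  The improved PairHand uses a
# composite group order q; here q is the product of two small primes so the
# example runs instantly.  G is modelled by the additive group Z_q itself
# (P = 1, so "H2(M) * sH1(pid)" is multiplication mod q): the attack uses
# nothing but scalar arithmetic, so no pairing is needed to demonstrate it.
Q = 101 * 103          # composite order q (assumption)
Q_PRIMES = (101, 103)  # used only to compute phi(q)/q for the success rate


def h2(msg: bytes) -> int:
    """H2 : {0,1}* -> Z_q, modelled as SHA-256 reduced mod q (assumption)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def build_request(pid: bytes, id_ap: bytes, ts: int) -> bytes:
    """M_i = pid_i || ID_AP2 || ts || rb: He et al.'s countermeasure appends
    redundant bytes rb until gcd(H2(M_i), q) > 1, so H2(M_i) has no inverse."""
    msg = pid + b"|" + id_ap + b"|" + ts.to_bytes(8, "big") + b"|"
    while math.gcd(h2(msg), Q) == 1:
        msg += b"\x00"
    return msg


def sign(sk: int, msg: bytes) -> int:
    """sigma_i = H2(M_i) * sH1(pid_i); the private key sH1(pid_i) is the scalar sk."""
    return h2(msg) * sk % Q


def inverse_attack(msg: bytes, sigma: int):
    """Attack on the original PairHand: sk = H2(M)^-1 * sigma, which needs H2(M)
    invertible mod q.  Returns None when the countermeasure blocks it."""
    h = h2(msg)
    if math.gcd(h, Q) != 1:
        return None
    return pow(h, -1, Q) * sigma % Q


def linear_combination_attack(captures, rng, max_tries=10_000):
    """Section 5 attack, generalised from two to any number of captured
    (M_i, sigma_i) pairs under one pseudo-ID.

    beta = sum x_i * H2(M_i) ranges over the subgroup of Z_q generated by the H2
    values, so an invertible beta exists only if gcd(q, H2(M_1), H2(M_2), ...)
    is 1.  Two captures whose hashes share the same prime factor of q can never
    work; the adversary then waits for a further request.
    """
    hs = [h2(m) for m, _ in captures]
    if reduce(math.gcd, hs, Q) != 1:
        return None, 0
    for tries in range(1, max_tries + 1):
        xs = [rng.randrange(Q) for _ in captures]
        beta = sum(x * h for x, h in zip(xs, hs)) % Q
        if math.gcd(beta, Q) == 1:
            alpha = sum(x * s for x, (_, s) in zip(xs, captures)) % Q
            return pow(beta, -1, Q) * alpha % Q, tries
    return None, max_tries


def run_attack(seed: int = 1, max_captures: int = 50):
    """The adversary drops AP2's responses, so MN i re-sends with a fresh ts and
    rb; every retry under pid_i is captured until the key leaks.  Returns
    (true sk, single-message attack result, recovered sk, captures used)."""
    rng = random.Random(seed)
    sk = rng.randrange(1, Q)          # MN i's private key sH1(pid_i), as a scalar
    pid, id_ap, ts = b"pid_i", b"AP2", 1_700_000_000
    captures, single, recovered = [], None, None
    while recovered is None and len(captures) < max_captures:
        msg = build_request(pid, id_ap, ts)
        captures.append((msg, sign(sk, msg)))
        single = inverse_attack(msg, captures[-1][1])     # always None here
        recovered, _ = linear_combination_attack(captures, rng)
        ts += 1                                           # MN retries later
    return sk, single, recovered, len(captures)


def coprime_rate(trials: int, seed: int = 2) -> float:
    """Empirical Pr[gcd(beta, q) = 1] for uniform beta in Z_q."""
    rng = random.Random(seed)
    hits = sum(math.gcd(rng.randrange(Q), Q) == 1 for _ in range(trials))
    return hits / trials


def phi_ratio() -> float:
    """phi(q)/q = prod_{p | q} (1 - 1/p): the exact per-attempt success rate for a
    fixed q (the product over all primes in Section 5 averages over a random q)."""
    out = 1.0
    for p in Q_PRIMES:
        out *= 1 - 1 / p
    return out
```

With $q = 101 \cdot 103$, every padded hash is divisible by 101 or 103, so the first capture never suffices and two captures fail whenever both hashes pick the same prime; `run_attack` keeps collecting retransmissions until the combination recovers exactly the scalar `sk`, typically after two or three captures.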




Obviously, a natural way to cope with the above attack is to ensure that each pseudo-ID is used only once, regardless of whether the AP responds correctly, so that different signatures always correspond to different pseudo-IDs. As a consequence, it is impossible for an adversary to compute the private key from linear combinations of two signatures. However, this countermeasure largely reduces the availability of the handover authentication protocol and gives rise to more serious security problems, as follows. When an MN moves out of the service range of its old AP, it attempts to connect to and identify a new AP by immediately sending authentication messages. Once a pseudo-ID may be used only once, every connection attempt consumes one pseudo-ID of the MN, which wastes pseudo-IDs and forces the MN to store a much larger number of them. However, mobile nodes are often lightweight devices with limited storage, which makes them unable to afford a large number of redundant pseudo-IDs. Additionally, the increase in the number of pseudo-IDs leads to a growth in the length of pseudo-IDs, which deeply affects the computational and communication efficiency of the whole wireless network. More seriously, if there is an adversary who always interrupts the authentication request messages of an MN, the MN will eventually use up all its pseudo-IDs and be cut off from the service of the system, due to immediately repeating the request. Such an attack can be avoided by additional precautions, such as delaying the response, introducing exponentially increasing delays after failed attempts, or switching to another AP after an excessive number of failures. However, all of these measures are very costly and can introduce additional risks, which is contrary to the design rationale of PairHand.

6. Our Handover Authentication Protocol 

According to the above analysis, the key to overcoming the security weakness of the two PairHand protocols is to provide a secure authentication mechanism for the first message transmission. Below, we provide a simple scheme, which not only eliminates the security risks mentioned above, but also largely preserves the desirable efficiency features of the original protocol. Similar to PairHand, the proposed scheme is composed of four phases: system initialization, handover authentication, batch authentication and DoS attack resistance, where the first and the fourth phases are the same as those of the PairHand protocol. For the sake of completeness, all four phases are fully described in the following.

6.1. System Initialization 

Let $G$ be a cyclic additive group of composite order $q$ and $G_T$ be a cyclic multiplicative group of the same order. Let $P$ be a generator of $G$ and $e: G \times G \to G_T$ be a bilinear map.

The AS randomly chooses a value $s \in \mathbb{Z}_q^*$ as the master key, computes the corresponding public key $P_{pub} = sP$ and selects two cryptographic hash functions $H_1$ and $H_2$, where $H_1: \{0,1\}^* \to G$ and $H_2: \{0,1\}^* \to \mathbb{Z}_q^*$. The resulting public system parameters, params, are $\{G, G_T, q, P, P_{pub}, H_1, H_2\}$, and the private secret of the AS is $s$. For each AP, the AS computes $H_1(ID_{AP})$ and $sH_1(ID_{AP})$ as the public and private keys of that AP, respectively, and delivers them to the AP via a secure channel, where $ID_{AP}$ is the identity of the AP.

For the registration of a qualified MN $i$ with real identity $ID_i$, the AS generates a family of unlinkable pseudo-IDs $PID = \{pid_1, pid_2, \dots\}$, computes the public key $H_1(pid_j)$ and the corresponding private key $s \cdot H_1(pid_j)$ for each pseudo-ID $pid_j \in PID$ and, finally, securely sends all tuples $(pid_j, sH_1(pid_j))$ to MN $i$.

6.2. Handover Authentication 

When an MN, say $i$, moves into the communication range of a new AP (AP2), a handover authentication process is performed between MN $i$ and AP2 in the following steps.

(1) MN $i$ first picks an unused pseudo-ID $pid_i$ and the corresponding private key $sH_1(pid_i)$ and computes $M_i = pid_i \| ID_{AP2} \| ts$, where $ts$ is the timestamp. Then, MN $i$ chooses a random nonce $r_i \in \mathbb{Z}_q^*$, computes $R_i = r_i P$ and $\sigma_i = H_2(M_i \| R_i) \cdot sH_1(pid_i) + r_i P_{pub}$, and unicasts the access request message $M_i$ together with its signature pair $\{R_i, \sigma_i\}$ to AP2. Finally, it computes the session key with AP2 as $K_{1\text{-}2} = e(sH_1(pid_i), H_1(ID_{AP2}))$.

(2) Upon receiving the message $\{M_i, R_i, \sigma_i\}$, AP2 checks the timestamp $ts$. If invalid, the request is rejected. Otherwise, AP2 verifies whether $e(\sigma_i, P) = e(H_2(M_i \| R_i) H_1(pid_i) + R_i, P_{pub})$. If so, AP2 computes the session key $K_{2\text{-}1} = e(H_1(pid_i), sH_1(ID_{AP2}))$ and the authentication code $Aut = H_2(K_{2\text{-}1} \| pid_i \| ID_{AP2})$ and then sends the tuple $\{pid_i, ID_{AP2}, Aut\}$ to MN $i$.

(3) Upon receipt of the message $\{pid_i, ID_{AP2}, Aut\}$, MN $i$ computes the verification code $Ver = H_2(K_{1\text{-}2} \| pid_i \| ID_{AP2})$ and compares it with $Aut$. If they are equal, MN $i$ confirms that AP2 is legitimate and that the generated session key is valid. Otherwise, MN $i$ cancels the connection.

(4) At last, AP2 securely transports $\{M_i, \sigma_i\}$ to the AS. From this message, the AS can identify the real identity of MN $i$ according to the pseudo-ID in $M_i$.

The handover authentication phase of the proposed scheme is also shown in Figure 2.



Figure 2. The handover authentication phase in our protocol. 
6.3. Batch Authentication

A mass of signature verifications is likely to cause a bottleneck at the APs. Batch authentication [14] is a desirable feature to solve this problem, as it allows APs to verify multiple signatures simultaneously. Its advantage lies in that the total computation cost of the verification performed by APs can be significantly reduced.
Our protocol still enjoys the batch authentication feature. Suppose $n$ request messages $\{M_1, R_1, \sigma_1\}, \{M_2, R_2, \sigma_2\}, \dots, \{M_n, R_n, \sigma_n\}$ arrive simultaneously from $n$ distinct MNs, MN 1, MN 2, $\dots$, MN $n$, respectively. The target AP can perform a batch verification of these $n$ signatures as follows:

$$e\Big(\sum_{i=1}^{n} \sigma_i, P\Big) = e\Big(\sum_{i=1}^{n} \big(H_2(M_i \| R_i) \cdot sH_1(pid_i) + r_i P_{pub}\big), P\Big) = e\Big(\sum_{i=1}^{n} \big(H_2(M_i \| R_i) \cdot sH_1(pid_i) + r_i sP\big), P\Big) = e\Big(\sum_{i=1}^{n} \big(H_2(M_i \| R_i) \cdot H_1(pid_i) + R_i\big), P_{pub}\Big).$$

From the above equation, it is obvious that the computation cost of verifying $n$ signatures is dramatically reduced to $n$ point multiplications and two pairing operations by batch processing.

6.4. DoS Attack Resistance 

In the handover authentication setting, a DoS attack is an attempt to exhaust the resources of the APs and the AS and make them unavailable to their intended partners. A usual approach of the adversary is to inject bogus access requests into the network, forcing the APs to perform expensive cryptographic verifications and eventually exhaust their resources.

The proposed scheme still adopts the polynomial-based lightweight verification of PairHand [14] to resist DoS attacks. In the system initialization phase, the AS randomly generates a bivariate $t$-degree polynomial $f(x, y) = \sum_{i,j=0}^{t} a_{ij} x^i y^j$ over a prime field $\mathbb{F}_p$, such that $f(x, y) = f(y, x)$. When MN $i$ registers with the AS, for each pseudo-ID $pid_i$ the AS computes $f(pid_i, y)$, which is a polynomial share of $f(x, y)$, and securely transmits these shares to MN $i$. Furthermore, the AS computes and delivers $f(ID_{AP}, y)$ to each AP, where $ID_{AP}$ is the identity of the AP. As the evaluation of the polynomial is very fast [14], each AP can perform a lightweight verification of the access request from MN $i$ by checking $f(pid_i, ID_{AP}) = f(ID_{AP}, pid_i)$, where the former is computed by MN $i$ from $f(pid_i, y)$ at the point $ID_{AP}$ and the latter by the AP from $f(ID_{AP}, y)$ at the point $pid_i$. Once an AP is under attack, it activates the above measure, adding "Yes" and its identity to its beacon messages. As a result, DoS attacks can be effectively mitigated, since each AP can promptly verify an authorized user with this shared value before conducting expensive cryptographic verifications.
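An added example (not from the paper) of the polynomial-based filter: a symmetric bivariate polynomial over a constructed field $\mathbb{F}_p$ with $p = 2^{31}-1$ and degree $t = 3$, the shares $f(pid_i, y)$ and $f(ID_{AP}, y)$, and the check $f(pid_i, ID_{AP}) = f(ID_{AP}, pid_i)$; identities are mapped to field elements with SHA-256, which is an assumption. It also demonstrates the well-known limit of such schemes, which the page does not state: since $f$ has degree $t$ in $x$, any $t+1$ MNs that pool their shares can interpolate $f(x, ID_{AP})$ at an arbitrary $x$ and forge the tag of any other pseudo-ID, so $t$ bounds the collusion the filter tolerates.

```python
import hashlib
import random

# Constructed parameters (not the paper's): a small prime field and degree t.
F_P = 2**31 - 1     # prime field F_p
T = 3               # degree t of the bivariate polynomial


def id_to_field(identity: bytes) -> int:
    """Map pid_i / ID_AP to a nonzero field element (assumption: SHA-256 mod p)."""
    return 1 + int.from_bytes(hashlib.sha256(identity).digest(), "big") % (F_P - 1)


def gen_symmetric_poly(t: int, rng):
    """AS picks a_ij = a_ji in F_p, so f(x, y) = sum a_ij x^i y^j has f(x, y) = f(y, x)."""
    a = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            a[i][j] = a[j][i] = rng.randrange(F_P)
    return a


def share(a, x: int):
    """Polynomial share f(x, y): coefficients b_j = sum_i a_ij x^i of y^j."""
    t = len(a) - 1
    return [sum(a[i][j] * pow(x, i, F_P) for i in range(t + 1)) % F_P for j in range(t + 1)]


def evaluate(coeffs, y: int) -> int:
    """Horner evaluation of a univariate polynomial over F_p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * y + c) % F_P
    return acc


def lightweight_check(seed: int = 3):
    """MN i sends f(pid_i, ID_AP) computed from its share; the AP recomputes
    f(ID_AP, pid_i) from its own share and compares before any pairing work."""
    rng = random.Random(seed)
    a = gen_symmetric_poly(T, rng)
    x_mn, x_ap = id_to_field(b"pid_i"), id_to_field(b"AP2")
    mn_share, ap_share = share(a, x_mn), share(a, x_ap)      # delivered by the AS
    tag_mn = evaluate(mn_share, x_ap)                        # MN: f(pid_i, ID_AP)
    tag_ap = evaluate(ap_share, x_mn)                        # AP: f(ID_AP, pid_i)
    return tag_mn, tag_ap


def collusion(seed: int = 3):
    """Caveat: t + 1 MNs holding shares interpolate f(x, ID_AP) at any x (f has
    degree t in x) and so forge the tag of an uncompromised pseudo-ID."""
    rng = random.Random(seed)
    a = gen_symmetric_poly(T, rng)                           # same AS secret as above
    x_target, x_ap = id_to_field(b"pid_i"), id_to_field(b"AP2")
    xs = [id_to_field(b"rogue_%d" % k) for k in range(T + 1)]
    vals = [evaluate(share(a, xk), x_ap) for xk in xs]       # each rogue's f(x_k, ID_AP)
    forged = 0
    for k, xk in enumerate(xs):                              # Lagrange basis at x_target
        num = den = 1
        for j, xj in enumerate(xs):
            if j != k:
                num = num * (x_target - xj) % F_P
                den = den * (xk - xj) % F_P
        forged = (forged + vals[k] * num * pow(den, -1, F_P)) % F_P
    genuine = evaluate(share(a, x_target), x_ap)             # what pid_i would send
    return forged, genuine
```

The check costs one polynomial evaluation per side, which is why it is an acceptable pre-filter, but the tag is a shared secret rather than a signature: any party holding $f(ID_{AP}, y)$ or $t+1$ pooled MN shares can produce it, so it gates the expensive pairing verification rather than replacing it.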

6.5. Security Analysis 

Theorem 1. Assume hash functions $H_1$ and $H_2$ are random oracles. Let $\mathcal{A}$ be a probabilistic polynomial time Turing machine. Let $Q_s$, $Q_1$ and $Q_2$ respectively denote the number of queries that $\mathcal{A}$ can ask of the Send oracle, of the $H_1$ random oracle and of the $H_2$ random oracle. If the attacker $\mathcal{A}$ can successfully violate the MN-to-AP authentication security of the protocol within time $T$ with probability $\varepsilon > 10(Q_s + 1)(Q_s + Q_2)/q$, then another probabilistic polynomial time Turing machine $\mathcal{S}$ can be built that utilizes $\mathcal{A}$ to break the CDH problem in expected time $T' \le 120686\, Q_1 Q_2 T / \varepsilon$.

Proof. Suppose that the simulator $\mathcal{S}$ is given a CDH challenge triple $(P, aP, sP)$ and its goal is to compute $asP$. $\mathcal{S}$ runs $\mathcal{A}$ as a subroutine and simulates the environment for attacking the protocol. According to the challenge instance, $\mathcal{S}$ provides the public parameters $(G, G_T, e, q, P, P_{pub}, H_1, H_2)$ such that $P_{pub} = sP$.

Without loss of generality, we assume that for any pseudo-ID, the adversary $\mathcal{A}$ invokes $H_1$, $H_2$, Send, Execute and Corrupt at most once. To provide consistent responses to these queries, $\mathcal{S}$ maintains two lists $L_{H_1}$ and $L_{H_2}$, which are initially empty.

$H_1$-query: When $\mathcal{A}$ invokes an $H_1$ query for $pid_i$, $\mathcal{S}$ checks whether $pid_i = pid_U$. If yes, $\mathcal{S}$ returns $aP$. Otherwise, $\mathcal{S}$ returns a randomly selected value $h \in G$ and appends $\langle pid_i, h \rangle$ to the list $L_{H_1}$.

$H_2$-query: When $\mathcal{A}$ invokes an $H_2$ query for $(m, R)$, $\mathcal{S}$ returns a random number $t \in \mathbb{Z}_q^*$ and stores $\langle m, R, t \rangle$ in $L_{H_2}$.

Corrupt-query: If the queried pseudo-ID is legal and not equal to $pid_U$, $\mathcal{S}$ searches the corresponding item in the list $L_{H_1}$ according to the pseudo-ID and returns the secret key $sh$ (choosing $h = xP$ for a known $x$ lets $\mathcal{S}$ compute it as $x \cdot sP$). Otherwise, $\mathcal{S}$ returns $\bot$.

Execute-query: This query is answered by invoking the corresponding Send queries.

Send-query: When $\mathcal{A}$ invokes a $\mathrm{Send}(\Pi^n_U, m)$ query, the simulator $\mathcal{S}$ extracts the $pid_i$ involved in the query and uses it to invoke the $H_1$ query. Then, $\mathcal{S}$ randomly chooses $r_i, t \in \mathbb{Z}_q^*$, computes $\sigma_i = r_i P_{pub}$ and $R_i = r_i P - tH_1(pid_i)$, and stores the item $\langle m, R_i, t \rangle$ in the list $L_{H_2}$. Finally, it outputs $(pid_i, R_i, \sigma_i)$.

If there is no collision among the queries to the random oracles during the process, $\mathcal{S}$ successfully simulates the protocol environment for $\mathcal{A}$: over the tuples $(\alpha, \beta, \gamma, \delta)$ with $\beta \in \mathbb{Z}_q^*$, $\alpha, \gamma, \delta \in G$ and $e(\gamma, P) = e(\beta\alpha + \delta, sP)$, the following two distributions $\Gamma$ and $\Gamma'$ are identical:

$$\Gamma = \big\{(h, t, \sigma, R) \;\big|\; r, t \in_R \mathbb{Z}_q^*,\ h \in_R G,\ R = rP - th,\ \sigma = rsP\big\}$$

and

$$\Gamma' = \big\{(h, t, \sigma, R) \;\big|\; r, t \in_R \mathbb{Z}_q^*,\ h \in_R G,\ R = rP,\ \sigma = tsh + rsP\big\}.$$

According to the Forking lemma [21], if $\mathcal{A}$ outputs a valid authentication message tuple $(pid_U, m, \sigma, R)$, then after a polynomial replay of the attacker with the same random tape but different choices of $H_2$, $\mathcal{S}$ obtains two valid message tuples $(pid_U, m, \sigma = tsaP + rsP, R = rP)$ and $(pid_U, m, \sigma' = t'saP + rsP, R = rP)$ with $t \neq t'$ and finally solves the CDH challenge by computing $asP = (\sigma - \sigma')/(t - t')$. □

Additionally, the probability that the two forged authentication messages correspond to $pid_U$ is $1/Q_1$. As a result, the upper bound on the expected time for breaking the CDH problem is $Q_1$ times the one in the Forking lemma.

Theorem 2. Assume hash functions $H_1$ and $H_2$ are random oracles. Let $\mathcal{A}$ be a probabilistic polynomial time Turing machine. If the attacker $\mathcal{A}$ can successfully violate the AP-to-MN authentication security of the protocol, then another probabilistic polynomial time Turing machine $\mathcal{S}$ can be built that utilizes $\mathcal{A}$ to break the BDH problem.
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Proof. Let (P, aP, bP, sP) be the BDH instance provided to the simulator S. To simulate the 
attacking environment for Jl, S publishes the public parameters (G, Gt, e, q, P, P pu b, Hi,H 2 ), such that 
Ppub = sP an d maintains two hash lists L Hl and L Hl , which are initially empty. Without loss of generality, 
we assume that for any pseudo-ID or AP identity, the adversary Jl invokes Hi, H 2 , Send, Execute 
and Corrupt at most once. Let Q M and Q A be the number of queries that Jl can ask of the random 
oracle Hi for MN nodes and the number of queries that J?I can ask of the random oracle Hi for AP 
nodes, respectively. & guesses the target session between the MN pidu and the AP ID V , which are 
randomly chosen. 

-query: If Jl makes an Hi query for pid v , & returns aP. If the query is for the AP identification ID V , 

5 returns bP. Otherwise, S returns a randomly selected value h e G and adds < pidu h > or < ID V , 
h > into the list L Hl . 

H 2 -query: When Jl invokes an H 2 query for messages M, S chooses a random number t e Z q , stores 
< M,t > the list L Hl and then returns it. 

Corrupt-query: If the queried identity is legal and is not equal to $pid_u$ and $ID_V$, $\mathcal{S}$ searches the 
corresponding item in the list $L_{H_1}$ according to the identity and then returns the secret key. Otherwise, 
$\mathcal{S}$ returns $\bot$. 

Execute-query: This query is responded to by invoking the corresponding Send queries. 

Send-query: There are two types of Send queries: MN-to-AP and AP-to-MN, denoted by $\mathrm{Send}_1$ and 
$\mathrm{Send}_2$, respectively. $\mathcal{S}$ answers them by invoking the $H_1$ and $H_2$ queries. 

• If the query is $\mathrm{Send}_1$, simulator $\mathcal{S}$ randomly chooses $r_i, t \in Z_q^*$ and computes $\sigma_i = r_i P_{pub}$, 
$R_i = r_i P - t H_1(pid_i)$ by invoking $H_1$ queries with $ID_i$. Then, it adds the item $(M_i, R_i, t)$ to the 
list $L_{H_2}$ and outputs the message tuple $(pid_i, R_i, \sigma_i)$. 

• If the query is $\mathrm{Send}_2$, simulator $\mathcal{S}$ checks whether $e(\sigma_i, P) = e(H_2(M_i \| R_i) H_1(pid_i) + R_i, P_{pub})$. 
If false, $\mathcal{S}$ outputs $\bot$. Otherwise, $\mathcal{S}$ chooses a random value $k \in G_T$ and computes 
$aut = H_2(k \| pid_i \| ID_j)$ by making the $H_2$ query. Finally, it returns the message tuple $(aut \| pid_i \| ID_j)$. 

The success of $\mathcal{S}$ in breaking the BDH problem denotes the event that $pid_u$ and $ID_V$ are partners and 
$\mathcal{A}$ asks the $H_2$ query with a tuple $(K \| pid_u \| ID_V)$ where $K = e(P, P)^{abs}$. According to the above simulation, 
the probability that $pid_u$ and $ID_V$ are partners is $1/Q_M Q_A$. Therefore, if $\mathcal{A}$ outputs a valid authentication 
message with probability $\varepsilon$, the probability of the success of $\mathcal{S}$ is less than $\varepsilon/Q_M Q_A$. □ 
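The two reduction steps described above can be checked mechanically: the forking extraction $asP = (\sigma - \sigma')/(t - t')$ that closes the proof of Theorem 1, and the simulator's $\mathrm{Send}_1$ answer in the proof of Theorem 2, which passes the $\mathrm{Send}_2$ pairing check without any private key because $H_2$ is programmed. The following Python script is an added example written for this page, not the authors' code. It assumes a toy group model: $G$ is the additive group $\mathbb{Z}_q$ with $P = 1$, and the pairing is $e(xP, yP) = g^{xy}$ in an order-$q$ subgroup of $\mathbb{Z}_p^*$. That keeps the bilinear algebra but makes discrete logarithms trivial, so it illustrates the equations of the proofs, not the hardness assumptions. The parameters $q = 1019$ and $p = 2039$, the hash constructions, the message encoding and all function names are constructed for the example.

```python
"""Toy model of the PairHand-style signature and the two proof steps discussed above.
Constructed example, not the paper's code. Assumed group model (algebra only): G is the
additive group Z_q with P = 1, so a point xP is the scalar x; G_T is the order-q subgroup
of Z_p^* generated by g, and e(xP, yP) = g^{xy} mod p. The map is bilinear, but discrete
logs are trivial here, so this shows the proof equations, not the hardness assumptions."""
import hashlib
import secrets

Q = 1019      # prime group order q (toy size, constructed)
P_MOD = 2039  # prime p = 2q + 1, so Z_p^* has a subgroup of order q
G_T_GEN = 4   # 4 = 2^2 is a quadratic residue mod p, hence has order q
P = 1         # generator of the additive group G = Z_q


def pairing(x, y):
    """e(xP, yP) = g^{xy} in G_T."""
    return pow(G_T_GEN, (x * y) % Q, P_MOD)


def h1(identity):
    """H_1: identities -> G \\ {0}, a fixed random oracle (hash to a non-zero scalar)."""
    return int.from_bytes(hashlib.sha256(b"H1|" + identity).digest(), "big") % (Q - 1) + 1


class ProgrammableH2:
    """H_2 as a random oracle the simulator may program; the dict plays the list L_{H_2}."""

    def __init__(self):
        self.table = {}

    def query(self, msg):
        if msg not in self.table:
            self.table[msg] = secrets.randbelow(Q)
        return self.table[msg]

    def program(self, msg, t):
        # The proof assumes each input is asked once; an earlier query would be a collision.
        if msg in self.table:
            raise RuntimeError("H_2 already fixed on this input; the simulation aborts")
        self.table[msg] = t


def setup():
    """AS master secret s and public key P_pub = sP."""
    s = secrets.randbelow(Q - 1) + 1
    return s, (s * P) % Q


def extract(s, pid):
    """Private key of pid issued by the AS: S_pid = s * H_1(pid)."""
    return (s * h1(pid)) % Q


def sign(h2, ppub, s_pid, pid, msg, r=None):
    """MN-to-AP message (pid, R, sigma): R = rP, t = H_2(M||R), sigma = r*P_pub + t*S_pid."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    R = (r * P) % Q
    t = h2.query(msg + R.to_bytes(2, "big"))
    return pid, R, (r * ppub + t * s_pid) % Q


def verify(h2, ppub, pid, msg, R, sigma):
    """The Send_2 check: e(sigma, P) == e(H_2(M||R) * H_1(pid) + R, P_pub)."""
    t = h2.query(msg + R.to_bytes(2, "big"))
    return pairing(sigma, P) == pairing((t * h1(pid) + R) % Q, ppub)


def simulate_send1(h2, ppub, pid, msg):
    """Simulator's Send_1 answer: no private key, H_2(M_i||R_i) is programmed to t."""
    r_i = secrets.randbelow(Q - 1) + 1
    t = secrets.randbelow(Q)
    sigma_i = (r_i * ppub) % Q                      # sigma_i = r_i * P_pub
    R_i = (r_i * P - t * h1(pid)) % Q               # R_i = r_i P - t H_1(pid_i)
    h2.program(msg + R_i.to_bytes(2, "big"), t)     # store (M_i||R_i, t) in L_{H_2}
    return pid, R_i, sigma_i


def fork_extract(sigma1, sigma2, t1, t2):
    """Forking step: same R, different t  ->  S_pid = (sigma - sigma') / (t - t')."""
    if t1 == t2:
        raise ValueError("forking requires t != t'")
    return ((sigma1 - sigma2) * pow((t1 - t2) % Q, -1, Q)) % Q


def forking_demo(s, ppub, pid, msg):
    """Two runs with the same r but rewound H_2 yield S_pid from public values only."""
    s_pid = extract(s, pid)
    r = secrets.randbelow(Q - 1) + 1
    while True:
        run1, run2 = ProgrammableH2(), ProgrammableH2()   # H_2 answers differ per run
        _, R, sigma1 = sign(run1, ppub, s_pid, pid, msg, r)
        _, _, sigma2 = sign(run2, ppub, s_pid, pid, msg, r)
        enc = msg + R.to_bytes(2, "big")
        t1, t2 = run1.query(enc), run2.query(enc)
        if t1 != t2:
            return fork_extract(sigma1, sigma2, t1, t2)


if __name__ == "__main__":
    s, ppub = setup()
    h2, h2_sim = ProgrammableH2(), ProgrammableH2()
    pid, R, sigma = sign(h2, ppub, extract(s, b"pid_u"), b"pid_u", b"M")
    print("genuine message verifies:", verify(h2, ppub, pid, b"M", R, sigma))
    pid_x, R_x, sigma_x = simulate_send1(h2_sim, ppub, b"pid_x", b"M2")
    print("simulated message verifies:", verify(h2_sim, ppub, pid_x, b"M2", R_x, sigma_x))
    print("forking recovers S_pid:", forking_demo(s, ppub, b"pid_u", b"M") == extract(s, b"pid_u"))
```

The `simulate_send1` output verifies only because `verify` consults the same programmed oracle; in the real protocol $H_2$ is a fixed hash, which is exactly why the simulated and real games are indistinguishable to the attacker. The `fork_extract` algebra also states the implementation requirement behind the proof: $r$ must be fresh for every MN-to-AP message, since any two valid messages sharing $R$ under different $H_2$ values determine $S_{pid}$ from public values alone.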

Theorem 3. Assume hash functions $H_1$ and $H_2$ are random oracles. If the protocol enjoys the mutual 
authentication security, it is also semantically secure. 

Proof. To prove the semantic security of the protocol, we apply the same simulation used in 
proving Theorem 2. Let $F_1$ (or $F_2$, respectively) denote the event that the attacker successfully forges 
an MN-to-AP (or AP-to-MN, respectively) authentication message. Let $S_0$ (or $S_1$, respectively) denote 
the event that in the real (or simulated, respectively) attacking game, the attacker successfully guesses 
the challenge bit involved in the Test oracle. If neither of the events $F_1$ and $F_2$ happens, the real and 
simulated games proceed identically, and we get the following equation: 



$\Pr[S_0 \wedge \neg F_1 \wedge \neg F_2] = \Pr[S_1 \wedge \neg F_1 \wedge \neg F_2].$ 
On the other hand, it is obvious that in the simulation, the attacker cannot obtain any information about 
the protocol session key, since the session key is a randomly chosen value not related to any message 
transported over the public channel. This means that the attacker can only guess the hidden 
bit, so that $\Pr[S_1] = 1/2$. Following the difference lemma [22], we get 

$|\Pr[S_0] - \Pr[S_1]| \le \Pr[F_1 \vee F_2] \le \Pr[F_1] + \Pr[F_2].$ 

According to the definition of the semantic security for the protocol, we then have $\mathrm{Adv}_{\mathcal{P}}(k, t) \le 2 \cdot 
(\Pr[F_1] + \Pr[F_2]) = 2 \cdot \mathrm{Auth}^{MN\text{-}AP}_{\mathcal{P}}(k, t) + 2 \cdot \mathrm{Auth}^{AP\text{-}MN}_{\mathcal{P}}(k, t)$. □ 

6.6. Performance Comparison 

Compared with the existing handover authentication protocols, the proposed protocol has advantages in 
communication, computation and security. For the protocols prior to PairHand [1-4,6-10,12], its 
superiority comes from the low burden on the AS, the two-run handshake between MN and AP, the 
batch authentication and the privacy protection for the MN. To evaluate its advantage over the post-PairHand 
protocols [14,15,17], we mainly consider its performance superiority in secret key size, computational 
cost and security features. In Table 1, we present the comparison results on these aspects among 
He et al.'s improved PairHand [15], Tsai et al.'s protocol [17] and our scheme. For computational cost, 
we focus on the time spent on the high-cost operations, namely the time spent on the pairing operations 
($T_p$), the time spent on the multiplications on the elliptic curve ($T_m$) and the time spent on the search for 
non-co-primes ($T_s$), while the time spent on highly efficient operations, such as the hash function and 
the scalar addition on the elliptic curve, is neglected. The estimate of the time consumption at an MN is 
based on He et al.'s work in [14,15], where the MNT curve with a 160-bit order and embedding 
degree $k = 6$ is used with the MIRACL and PBC libraries (C/C++), and the MN runs on an 800 MHz processor. To 
evaluate the length of the messages transmitted in the protocol execution, we assume that the lengths of 
$pid_i$, $ts$ and $ID_{AP2}$ are four, two and four bytes, respectively. We notice that the computational times of 
our protocol and Tsai et al.'s protocol are much lower than that of He et al.'s protocol, due to their prime-order 
work groups. This is because the composite order in He et al.'s protocol should be at least 1024 bits to 
be infeasible to factorize, while a 160-bit prime order is enough to achieve the same security level. An 
estimation [23] shows that the composite-order pairing is roughly 50-times slower than its prime-order 
counterpart. For security, both our scheme and Tsai et al.'s protocol enjoy provable security, but 
He et al.'s protocol does not. In terms of the secret key size, our protocol is superior to Tsai et al.'s 
protocol and is the same as the original PairHand protocol [14]. As a result, our scheme can be easily 
deployed in the running environment of the original PairHand protocol without any change to the 
public and private parameters. 
Table 1. Protocol comparisons. MN, mobile node; AP, access point. 

                                               He et al. [15]        Tsai et al. [17]   Ours 
The number of private keys                     1                     1                  1 
The number of public keys                      1                     2                  1 
Provably secure                                No                    Yes                Yes 
MN anonymity                                   Yes                   Yes                Yes 
MN unlinkability                               Yes                   Yes                Yes 
MN computational cost                          1T_p + 1T_m + 1T_s    1T_p + 1T_m        1T_p + 1T_m 
The computation time consumption at an MN      ≈ 299.332 ms          ≈ 7.564 ms         ≈ 7.564 ms 
AP computational cost                          1T_p                  1T_p               1T_p 
The length of the transmitted messages         166 bytes             78 bytes           78 bytes 
Work group                                     composite order       prime order        prime order 


7. Conclusions 

In this paper, in reviewing the PairHand family of protocols, we present a stronger key recovery attack on 
an improved PairHand protocol, which requires fewer signatures to be generated with the same private key 
compared with the existing attacks. Consequently, we present a new handover authentication protocol 
and prove its security in the random oracle model. Compared with the two latest handover authentication 
protocols, the proposed protocol has the advantages of efficiency and security. 